PRODUCED BY
The National Privacy Commission

CONTRIBUTORS
Office of the Privacy Commissioner
Public Information and Assistance Division
Finance and Administrative Office
Data Security and Compliance Office
Legal and Enforcement Office
Privacy Policy Office
Kristine Danica S. Adis
Alec Jean G. Del Castillo
Anella Vianchi G. Arevalo

DESIGN AND LAYOUT
Charlene Mae Muyula
Donna A. Escarcha

PHOTO
Lauro M. Montellano, Jr.
Katrice A. Obrero
Pauleen Joy T. Saavedra

EDITOR
Olivia Khane S. Raza
Joseph U. Vizcarra
CONTENTS

06 PRIVACY COMMISSIONER’S NOTES
08 THE NATIONAL PRIVACY COMMISSION: Vision, Mission and Functions; The Senior Leadership of the NPC
10 RULE MAKING: Privacy Policy Office; Data Security and Technology Standards Division
16 ADVISORY: Advisory Opinions; Position Papers and Comments
18 PUBLIC EDUCATION
24 COMPLIANCE AND MONITORING
26 ENFORCEMENT
28 COMPLAINTS AND INVESTIGATION
30 INTERNAL MANAGEMENT
PRIVACY COMMISSIONER’S NOTES

Around two years ago, the National Privacy Commission set out to pursue its mission. Our goal, then and now, can be distilled into this philosophical vision: To bring life to the Data Privacy Act—to make it permeate the daily practice of Filipino individuals and organizations; to establish a regime of vigilance, accountability, and ultimately, trust; to have data privacy and security become a driving force of stability, progress, and nation-building. For many, the NPC’s release of its Five Pillars of Data Privacy Accountability and Compliance signaled the start of the journey towards compliance and accountability. In June 2017, most Filipinos did not know what “Personal Data Privacy” meant. Only 13% were aware of the Data Privacy Act and only 11% at that time had heard of the National Privacy Commission. As will be demonstrated in our 2017 Annual Report, these figures have surely increased. It is safe to attribute the growing number of concerns to the parallel growth of awareness of data subjects. By pursuing our Filipino data subjects, they are now better protected, and more so, empowered. It is worthwhile to look back on how we have embarked to empower Filipinos to protect personal data through this Report. Our stakeholders have been part of this journey. For me as Privacy Commissioner, I found it important to set the direction of the NPC to achieve meaningful results, and more importantly, to set the values we will hold dear to guide us in this arduous task. In all humility I must say we have accomplished quite a sum in these areas these past two years. I have been blessed with a hardworking and dedicated team of professionals who were all equal to the challenge. Beyond all of the figures and inventory of what we’ve done so far as documented in this Report, is a simple synthesis: Two years ago, we set out to do a job. We realized that we can only do it by tapping into the energies of our many stakeholders.
We planned, we toiled, and here we are now—lengthening our strides and emerging as one of the most promising data sectors in the world. Two years ago, only a handful of local experts were talking about data privacy. Today, it has become a buzzword in Philippine business circles. In as little as two years, the Data Protection Officer has emerged as the hottest new profession in town and many of our citizens, especially youngsters, are quickly catching up on what data privacy is all about. This is proof positive that our strong and close collaboration with our stakeholders is effective. We continue to move in the right direction: Forward, upward, faster and more efficiently towards a culture of trust and resiliency.
2017 MILESTONES
ABOUT US

The National Privacy Commission or NPC is the country’s privacy watchdog; it is an independent body mandated to administer and implement the Data Privacy Act of 2012, and to monitor and ensure compliance of the country with international standards set for data protection. The Commission is headed by a Privacy Commissioner who serves as the Chairperson. The Privacy Commissioner is assisted by two Deputy Privacy Commissioners.
VISION

A world-class regulatory and enabling agency upholding the right to data privacy, ensuring personal data protection while promoting the free flow of information; committed to excellence, driven by a workforce that is highly competent, future-oriented, and ethical, towards a competitive, knowledge-based, and innovative nation.

MISSION

We shall continuously deliver services to:
1. Be the authority on data privacy and protection, providing knowledge, know-how and relevant technology;
2. Establish a regulatory environment that ensures accountability in the processing of personal data and promotes global standards for data privacy and protection; and
3. Build a culture of privacy through people empowerment that enables and upholds the right to privacy and supports the free flow of information.
The NPC is an attached agency of the Department of Information and Communications Technology for policy and program coordination purposes, but is completely independent in the performance of the following functions:

RULE-MAKING: develop, promulgate, review or amend rules and regulations for the effective implementation of Republic Act No. 10173 or the Data Privacy Act (DPA) of 2012

ADVISORY: serve as the advisory body on matters affecting protection of personal data

ENFORCEMENT: effectively implement the DPA, its Implementing Rules and Regulations and issuances, and enforce its Orders, Resolutions or Decisions, including the imposition of administrative sanctions, fines, or penalties

PUBLIC EDUCATION: inform and educate the public on data privacy, data protection, and fair information rights and responsibilities

COMPLIANCE AND MONITORING: monitor and ensure compliance for the effective implementation of the DPA

COMPLAINTS AND INVESTIGATIONS: adjudicate on complaints and investigations on matters affecting personal data
RULE MAKING

THE PRIVACY POLICY OFFICE

The Privacy Policy Office (PPO) is at the forefront of defining policies, standards, rules and regulations pertaining to data privacy and the protection of personal data. It strives for the empowerment of the people by providing knowledge and know-how on data privacy and data protection, and aims to contribute to education, innovation, and social protection in a globally competitive knowledge economy and data-driven society. The PPO is responsible for coordinating with government regulatory agencies and data privacy regulators in other countries to develop privacy policy standards for the protection of personal information in the government and private sector, and to facilitate cross-border enforcement of data privacy protection. Likewise, it is the PPO’s task to review agreements and policies which may have privacy implications, as well as to provide advisory and legal opinions on matters related to data privacy concerns. Under the PPO are two divisions: the Policy Development Division and the Policy Review Division.

ADVISORIES

The PPO is tasked with the development and recommendation of policies to uphold the data privacy of individuals in ICT systems in both the public and private sectors. Its advisories elaborate key concepts to assist organizations’ and individuals’ general understanding of the DPA. Advisories issued also provide guidance on significant public interest issues with data privacy implications. This 2017, the PPO developed an advisory on the Designation of Data Protection Officers (DPO). This emphasized the need for PICs and PIPs to appoint a DPO who will be in charge of ensuring the organization’s compliance with the DPA. Likewise, the advisory on Access to Personal Data Sheets (PDS) of Government Personnel was issued. The Advisory harmonized the principles of transparency and accountability ensured by the right to information, arising from the implementation of the Executive Order on Freedom of Information on one hand, with the right to privacy under the DPA on the other.

NPC ADVISORY NO. 2017-01: Designation of Data Protection Officers (DPO)
NPC ADVISORY NO. 2017-02: Access to Personal Data Sheets of Government Personnel
NPC ADVISORY NO. 2017-03: Guidelines on Privacy Impact Assessments

COORDINATION

The NPC, through the PPO, became part of several task forces and technical working groups, such as the Inter-Agency Task Force formed by the Civil Service Commission (CSC) to review the Statement of Assets, Liabilities and Net Worth (SALN) form so that it is in sync with the provisions of the DPA, as well as the Technical Working Group for the Philippine Identification System (PhilSys) spearheaded by the Philippine Statistics Office (PSA) for the crafting of the National ID System. The PPO participated in numerous meetings, orientations, and consultations with different stakeholders from the government and the private sector, primarily to explain and clarify the provisions of the DPA, its IRR, and the issuances of the NPC. Stakeholders’ main concerns were their programs and activities that may have data privacy issues and implications, and how they may update current practices and procedures to be in tune with the Data Privacy Act. Personnel from the PPO also acted as resource speakers on data privacy at orientations, trainings, and similar activities. These consisted of the Data Protection Officers’ Summits, various privacy impact assessment workshops, DPO briefings, stakeholder-initiated briefings, roadshows, and caravans. Pursuant to its mandate to coordinate with data privacy authorities and other accountability agents, PPO personnel likewise attended international conferences and fora relating to data privacy and personal data protection. This included participation in conferences and meetings organized by the Asia Pacific Privacy Authorities (APPA), International Association of Privacy Professionals (IAPP), International Conference of Data Protection and Privacy Commissioners (ICDPPC), Council of Europe (COE), and Asia-Pacific Economic Cooperation (APEC). This provided an opportunity for the PPO to be in the know on relevant updates and international best practices, to share insights and experiences with other data privacy regulators and privacy professionals, and most importantly, to effectively utilize the knowledge gained in these conferences for the Office’s core and strategic functions, in support of the NPC’s vision of being a world-class regulatory and enforcement agency, upholding the right to privacy and data protection while ensuring the free flow of information.
DATA SECURITY AND TECHNOLOGY STANDARDS DIVISION

The Data Security and Technology Standards Division (DSTSD) serves as the backbone of the National Privacy Commission (NPC). Primarily, it coordinates with other government agencies, the private sector and international bodies to develop the most appropriate privacy and data protection standards recognized by the Information and Communications Technology (ICT) industry for organizational, physical and technical security measures. Moreover, it analyzes technological trends and developments and conducts risk assessment of existing and emerging technologies.
COORDINATION

In line with the NPC’s function to monitor and ensure the compliance of organizations with local and international standards set for data protection, representatives from the DSTSD were sent to different meetings and engagements. They are tasked to present the NPC’s position on various topics and issues and to coordinate the agency’s projects.

CROSS BORDER ENGAGEMENT

Regional and global meetings are avenues for the NPC to be updated on current trends and developments in data privacy and to expand its partnership with the data protection authorities in other nations and jurisdictions. In line with this, DSTSD participated in the SC 27 Plenary and Working Group Meetings in Hamilton, New Zealand last April and Berlin, Germany last October-November. Moreover, last October DSTSD took part in the Seminar on Capacity-Building for Compliance with the Cross-border Privacy Rules (CBPR) System spearheaded by the Asia-Pacific Economic Cooperation (APEC), held in Taipei, Taiwan. The purpose of this seminar was to advance the discussion and promotion of participation in the CBPR System.

NATIONAL ENGAGEMENT

To support the NPC in performing its function of coordinating with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the country, DSTSD keenly took part in various meetings, events and seminars. DSTSD contributed to the development of the e-Government Masterplan 2017-2033, under the Focus Group Discussion on Enterprise Network Administration and Identity Management System. DSTSD attended the Department of Trade and Industry (DTI) – Bureau of Philippine Standards (BPS) TC 60 (Technical Committee on Information Technology) monthly meetings. TC 60 is the mirror committee of SC 27 in the Philippines. In addition, DSTSD joined three (3) Technical Working Group (TWG) Meetings regarding National Security Issues on Government-Issued Documents at the National Security Council (NSC).

Furthermore, DSTSD participated in the quarterly meetings of the Task Force on Big Data at the Philippine Statistics Authority (PSA). Last May, DSTSD attended the Joint Cybersecurity Working Group Meetings. The division also provided inputs to the Ease of Doing Business (EODB) exploratory support exercise together with other government agencies, namely the Department of Trade and Industry (DTI), National Competitiveness Council (NCC), Department of Information and Communications Technology (DICT) and different social agencies. At the same time, the division attended a public hearing on DTI’s Department Administrative Order (DAO) no. 10-09 3 entitled “Prescribing Rules Governing the Accreditation of Certification Authorities for Electronic Signatures”. A month after, the team attended the meeting of the National Economic and Development Authority (NEDA) Interagency Committee on Trade in Services. DSTSD also represented the Commission in the following data security and technology related meetings/public hearings and submitted DPA-related inputs: the Orientation and Workshop on the Data Privacy Act of 2012 conducted in Navotas Health Care Center, and the GSIS Annual InfoSec Awareness Month. Lastly, DSTSD was invited by UNTV for two (2) interviews discussing the current ransomware attacks. The first interview was held in their studio for the morning TV program “Good Morning Kuya”, and the other was conducted in Meeting Room 1 at the GSIS Building.
TECHNOLOGICAL TRENDS AND DEVELOPMENT

With regard to the rapid rise of technology, DSTSD identifies and analyzes technological trends and developments in electronic platforms and digital media. Representatives of the division participated in numerous seminars and trainings to further improve their knowledge in cybersecurity. DSTSD took part in the Joint Cyber Security Working Group Cyber Investigation Training, What the Hack Cyber Security Training, Information Security Officers Group (ISOG) KISS Summit 2017, Web Application IT Security & Cyber Defense Forum, and Office 365 training. Apart from participating in the different events, DSTSD managed to create the Data Processing System Online Registry and a justification for CyberCon Asia 2017. DSTSD also partnered with DICT Undersecretaries, Business Profiles, Laggui Associates, the Israeli Ambassador, and Secretary Rodolfo A. Salalima on Cyber Security and Data Privacy Capacity Building.

ISO COMMENTS

As stated earlier, the NPC, a member of ISO Sub Committee 27 Working Group 5, has submitted contributions/comments on behalf of the Philippines. These will be used in the development of international privacy and data protection standards. DSTSD submitted Philippine positions on the following topics:

Identity Proofing & Identity Assurance Framework. The main concept of identity proofing is to verify the identifying attributes of an individual. The best way to proceed is to have all the information readily available for verification or comparison. DSTSD proposed the addition of guidelines to collect only the data necessary to prove an individual’s identity.

Privacy Reference & Phase II Consideration on Smart Phones. DSTSD suggested considering the rights of a data subject at each stage of the data life cycle. Likewise, it specified and described the essential components of the framework.

Furthermore, DSTSD contributed to the WG 5 Study Period on a Framework of enhanced authentication in telebiometric environments using presentation attack detection mechanisms. Specifically, it suggested including Privacy in Day-to-Day Information Life Cycle Operations, Managing Personal Data Security Risks, and Compliance with Data Breach Management Requirements. Aside from the topics given above, DSTSD also provided comments on the Privacy Framework, Privacy in Smart Cities, Identity Assurance Framework, Privacy Engineering and Privacy Management.
IMPLEMENTING PRIVACY AND DATA PROTECTION MEASURES

The National Privacy Commission has devised various means to address possible threats in an agency. DSTSD is entrusted to identify and assess these measures and to revise the early versions of the Data Privacy Accountability and Compliance Framework, Guidelines, and Checklist. The Data Privacy Accountability and Compliance Framework is a visual representation meant to help personal information controllers (PICs) and processors (PIPs) in complying with the Data Privacy Act of 2012. The Data Privacy Accountability and Compliance Checklist, commonly known as the 32-point checklist, is a step-by-step guide the NPC recommends for agencies to follow. The Data Privacy Accountability and Compliance Guidelines contain specific documents to be prepared and submitted in relation to the Compliance Checklist.
RISK ASSESSMENT

The NPC, as a government agency itself, is not excluded from complying with the DPA. After the Commission appointed its own Data Protection Officer (DPO), DSTSD was tasked with two things: first, to enhance the first version of the Privacy Impact Assessment (PIA) Template; and second, to conduct a risk assessment inside the Commission. The team conducted the PIA of the Biometrics System of the Commission using the newest version of the template. This led to improved content of the template, which agencies can use in conducting their own risk assessments.
ISSUANCE OF GUIDELINES

Unauthorized disclosure is one of the common violations of the right to privacy which the NPC is mandated to protect. DSTSD has released a set of guidelines entitled “Redacting Personal Data in Electronically Filed Documents”. Its main objective is to ensure that personal data are properly redacted by completely removing the information from the document, whether in electronic or physical format, as opposed to obscuring the information or hiding it.
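The distinction the guidelines draw, removing the data rather than obscuring it, is the step most often done wrong in practice: a black box drawn over text in a PDF leaves the underlying text stream intact, searchable and copyable, and document metadata is overlooked entirely. The Python below is an added example, not code from the NPC or from its redaction guidelines. It models the problem with a toy Document type (body text, metadata, and a list of spans a viewer paints over), a small set of constructed patterns (an e-mail address, a Philippine mobile number, and a TIN-style identifier), and a constructed sample complaint; the Document model, PATTERNS, SAMPLE and the function names are all assumptions made for illustration. Names and addresses are deliberately not covered by the patterns, which is itself the caveat: pattern-based redaction only removes what it is told to look for, so a final scan of every layer is part of the procedure.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for this demonstration only; the guidelines define their own
# categories of personal data, and names or addresses need other handling.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ph_mobile": re.compile(r"\b(?:\+63|0)9\d{2}[- ]?\d{3}[- ]?\d{4}\b"),
    "tin": re.compile(r"\b\d{3}-\d{3}-\d{3}(?:-\d{3})?\b"),
}


@dataclass
class Document:
    """Toy document (assumption): body text, metadata, and 'hidden' spans that a
    viewer paints over. Models a PDF where a black box is drawn but the text
    stream underneath survives."""
    text: str
    metadata: dict = field(default_factory=dict)
    hidden: list = field(default_factory=list)  # (start, end) spans drawn over

    def rendered(self) -> str:
        """What a viewer displays: hidden spans appear as solid blocks."""
        parts, last = [], 0
        for start, end in sorted(self.hidden):
            parts.append(self.text[last:start])
            parts.append("\u2588" * (end - start))
            last = end
        parts.append(self.text[last:])
        return "".join(parts)


def find_personal_data(text: str) -> list:
    """Return non-overlapping (start, end, label) matches, earliest first."""
    hits = sorted(
        (m.start(), m.end(), label)
        for label, pat in PATTERNS.items()
        for m in pat.finditer(text)
    )
    kept = []
    for start, end, label in hits:
        if kept and start < kept[-1][1]:
            continue  # overlaps the previous match; keep the earlier one
        kept.append((start, end, label))
    return kept


def obscure(doc: Document) -> Document:
    """The practice the guidelines warn against: paint over the matches.
    The underlying text and the metadata are left untouched."""
    new = Document(doc.text, dict(doc.metadata), list(doc.hidden))
    new.hidden.extend((s, e) for s, e, _ in find_personal_data(doc.text))
    return new


def redact(doc: Document) -> Document:
    """What the guidelines require: remove the data from every layer of the
    document. Matches are replaced from the end so earlier offsets stay valid."""
    text = doc.text
    for start, end, label in reversed(find_personal_data(text)):
        text = text[:start] + f"[REDACTED {label}]" + text[end:]
    metadata = {
        key: "[REDACTED]" if find_personal_data(str(value)) else value
        for key, value in doc.metadata.items()
    }
    return Document(text, metadata, hidden=[])


def residual_personal_data(doc: Document) -> list:
    """Verification before release: scan every layer, not just what is rendered."""
    layers = [doc.text] + [str(v) for v in doc.metadata.values()]
    return [
        (label, layer[start:end])
        for layer in layers
        for start, end, label in find_personal_data(layer)
    ]


# Constructed sample filing; every identifier below is fictitious.
SAMPLE = Document(
    text=("Complainant Juan Dela Cruz (juan.dc@example.com, mobile 0917-555-1234, "
          "TIN 123-456-789) filed the complaint on 12 June 2017."),
    metadata={"title": "Complaint", "author": "juan.dc@example.com"},
)

if __name__ == "__main__":
    obscured = obscure(SAMPLE)
    print("Obscured view :", obscured.rendered())
    print("Still present :", residual_personal_data(obscured))
    redacted = redact(SAMPLE)
    print("Redacted text :", redacted.text)
    print("Still present :", residual_personal_data(redacted))
```

Running it shows the obscured copy rendering with solid blocks while `residual_personal_data` still finds the e-mail, mobile number and TIN in the text and the e-mail again in the author metadata; the redacted copy comes back clean on every layer. The complainant's name survives both passes because no pattern covers it, which is why the verification scan should be read as a floor, not as proof that a document is safe to release.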
DEVELOPMENT OF STANDARDS

One of the functions of DSTSD is to develop standards for physical and technical security measures for data protection using the most appropriate standard recognized by the information and communications technology industry, including security standards for the processing of sensitive information in government. The following templates were studied, refined and submitted last year: Privacy Notice, Self-Assessment Template, and General Data Protection Regulation (GDPR) and Data Portability.

DPO SUMMIT INVOLVEMENT

With the NPC having conducted a total of twelve (12) DPO Summits last year, DSTSD, together with the other divisions, helped plan, organize, and facilitate each event.

NPC WEBSITE CONTENT MAKING

The NPC successfully launched privacy.gov.ph last year. DSTSD contributed by providing substantive content about emerging technologies, present threats and vulnerabilities, and recommendations of standards followed worldwide.

NPC PRIVACY TOOLKIT

The NPC Privacy Toolkit serves as the guide of every DPO. DSTSD helped to improve the current version by incorporating the newly approved circulars and advisories. It was successfully released last December and is being used by organizations in the Philippines.

REFERENCES

Information Security Resources (n.d.). Retrieved February 23, 2018, from https://www.sans.org/information-security/
https://www.iso.org/committee/45306.html
NPC Privacy Toolkit
Sec. 32, DPA
Redaction Draft Manual
ADVISORY

ADVISORY OPINIONS

This 2017, the PPO produced sixty-nine (69) advisory opinions on the interpretation of the provisions of the DPA, IRR, and other issuances of the NPC. These were issued in response to inquiries from different stakeholders from both the government and the private sector. Some of these advisory opinions shed light on the data privacy implications of certain government initiatives. These included the Securities Exchange Commission’s Reverse Search Module, the Department of Foreign Affairs’ proposed software application for monitoring Filipino nationals working and residing abroad, the Philippine National Police’s request of personal data from the Department of Social Welfare and Development (DSWD), and data sharing concerns of the Anti-Money Laundering Council (AMLC), among others. Several government agencies also sought formal guidance on the application of the Data Privacy Act to their operations, such as the Philippine Health Insurance Corporation (Philhealth), Bangko Sentral ng Pilipinas (BSP), Philippine Deposit Insurance Corporation (PDIC), Department of Finance (DOF), Commission on Elections (COMELEC), Social Security System (SSS), Tourism Information Enterprise Zone Authority (TIEZA), and APO Production Unit. Additionally, the PPO created Advisory Opinions that addressed pressing issues directly affecting the public at large. In 2017, the Office crafted an advisory opinion concerning online merchants’ right to retain credit card details of their customers. In doing so, the following should be taken into consideration:
1. Retention of personal data should be only to the extent required for the fulfillment of the purposes for which the data was obtained, unless data subjects consent to allow longer retention periods;
2. Data subjects should be adequately informed of the nature and extent of the processing of their personal data; and
3. Security measures for the protection of personal data should be implemented.
The issue of how the Data Privacy Act affects the employer-employee relationship was also tackled in several Advisory Opinions. Some of these opinions concern the consent of employees for the use of their personal information for marketing purposes and government requirements, an employer’s access to employees’ healthcare service usage, and the validity of consent in an employment contract, to name a few. Of note also is the issue of whether a mobile number is considered personal information or not. To determine this, a distinction was made between a postpaid number and a prepaid one. The former is personal information since telecommunication companies assign a specific number to each individual subscriber, while the latter only becomes personal information once activated and associated or linked to an individual subscriber. Another is regarding information available in the public domain. In several advisory opinions, it was stated that the DPA still applies since there is no express mention that personal data which is available publicly is outside of its scope. Moreover, even if the data subject has provided his or her personal data on a publicly accessible platform, this does not mean he or she has given blanket consent for its use for whatever purposes.
POSITION PAPERS AND COMMENTS

The Privacy Policy Office likewise prepared policy papers and comments on behalf of the Commission on proposed legislation from both the House of Representatives and the Senate. The PPO submitted its comments and proposed revisions on bills such as the Philippine HIV and Aids Policy Act, proposed amendments to the Bank Secrecy Law, and proposals for SIM Card Registration, No-Call and Text Registry, Social Media Registration, and National ID System, among others. The PPO was likewise involved in the crafting of the Implementing Rules and Regulations (IRR) of Republic Act No. 10929 or the Free Internet Access in Public Places Act. These submissions put emphasis on the inclusion of data privacy and protection provisions in the proposed bills, and provided recommendations on specific issues, applying a personal data protection perspective to these proposals. PPO personnel, as representatives of the Commission, acted as resource persons in Senate and House hearings on these bills. Their attendance ensured that data privacy provisions were incorporated in the proposals where necessary. Moreover, this gave the PPO an opportunity to share and impart data privacy awareness and understanding to the country’s legislators, in the hope that they would consider data privacy and personal data protection an important consideration in formulating legislation.

Review of Documents from Stakeholders

Part of the PPO’s responsibilities is the review of policies, guidelines, standards, and codes relative to data privacy from stakeholders in different sectors. In 2017, these included the review of data sharing agreements, consent forms, and personal data protection policies from organizations in the public and private sector. Pursuant to its mandate to review standards and codes relating to organizational security measures for the protection of personal data, the PPO took part in the review of the privacy code for the health sector, which was spearheaded by the Department of Health. The PPO was involved in the public consultation regarding the said code and prepared in-depth comments and recommendations.
Infographic: 69 advisory opinions, highlighting SEC’s Reverse Search Module, DFA’s proposed monitoring software application, PNP’s request of personal data from the DSWD, and data sharing concerns of AMLC.
PUBLIC EDUCATION

For a fairly new agency like the NPC, public education and awareness are central in establishing the relevance of data privacy to stakeholders, both data subjects and personal information controllers and processors. As part of the communication strategy, the NPC tapped digital and traditional communication channels in 2017 to reach and engage stakeholders.
To make the data privacy law and data privacy protection easier for mass consumption, efforts were directed towards putting together outputs that are simple, concise and fun. In one year, NPC’s Facebook page grew in Likes by 1,000.9%, while the Twitter page grew in Followers by 529.4%. Since the inception of the online information and awareness campaign, the Commission had gained an audience of over 46,404 users on Facebook, 856 on Twitter, and 169 on YouTube by December 2017. A total of 458 Facebook posts were made in 2017, with an average reach of 5,142 users per post. Notably, there were social media materials that reached as many as 347,038 users in just one post.
SOCIAL MEDIA

Social media proved to be a cost-efficient communication channel for the NPC. In 2017, the Commission continued to be present on three social media platforms: Facebook (@privacy.gov.ph), Twitter (@PrivacyPH), and YouTube (National Privacy Commission). The Commission easily reached the public through these accounts with daily content that revolves around the concepts of privacy in the Philippines—from updates on the Commission and its activities, to everyday tips that can protect one’s personal data privacy.

The team had a goal in mind: to heighten engagement with the Filipino public online, thus elevating awareness and discourse on data privacy and security. Taking on such an endeavor is no easy feat; however, the team took advantage of the high online presence of Filipinos, and rode along with trending topics and issues to incorporate good data privacy protection practices in NPC materials.

From writers to artists, tasks were meticulously laid out and executed to meet this goal. Content buckets such as related news, engagement posts, privacy push, and in review made sure that the materials produced were always new and engaging.
WEBSITE

After its launch in April 2017, the NPC website continually met its objective of being a knowledge hub for Data Protection Officers (DPOs) and Personal Information Controllers and Processors (PICs/PIPs) when it comes to DPA compliance. It served as a repository of information on various NPC issuances (Memorandum Circulars, Advisories, Advisory Opinions and Legal Opinions), data subject rights, knowledge materials, presentations and the latest updates about the Commission. The design enabled PICs, PIPs and data subjects to easily explore the website depending on their objective (‘I want to know more’, ‘I want to comply’, ‘I want to complain’). During the height of the registration period of DPOs and their respective PIC/PIP Data Processing Systems, the website primarily catered to compliance concerns.
EVENTS

To quickly raise awareness and facilitate compliance among PICs and PIPs through their DPOs, the NPC held 11 DPO Assemblies, 14 DPO Briefing sessions, and 14 PrivaMoves sessions (Data Privacy Compliance Workshop/Roadshow). A total of 4,013 stakeholders nationwide were reached through these events. Each event type catered to a different set of participants. Both DPO Assemblies and Briefings were aimed at engaging the DPOs of central offices of organizations located in Metro Manila. But DPO Assemblies differed in approach, as each session was devoted to a specific sector or industry, while each DPO Briefing had a mix of participants from different sectors. In 2017, the DPO Assemblies covered the government, banking, telecommunications, higher education, BPO, media, health, retail, life insurance, and pharmaceutical sectors.

On the other hand, the Roadshow responded to the demand for data privacy compliance orientation outside Metro Manila, among organizations with local operations. So far, the roadshow has reached ten cities (Cebu, Cagayan de Oro, Butuan, Zamboanga, Iloilo, Dumaguete, Dagupan, Legazpi, Batangas and Sorsogon) in 14 separate sessions. Except for the DPO Briefings, these activities were conducted with the substantial support of NPC partners: industry partners for the DPO Assemblies and local ICT councils for the Roadshow. As such, the NPC incurred lower costs in implementing its awareness initiatives. Apart from these NPC-organized events, the Commission also responded to 507 speaking invites by various organizations throughout the year. NPC resource speakers talked about data privacy topics ranging from the DPA overview and jumpstarting DP compliance to the conduct of Privacy Impact Assessments.
Infographic: 566 invites attended by the Commission; 11 DPO Assemblies.
KNOWLEDGE MATERIALS

To more effectively reach its target audience, the NPC produced the following knowledge materials and publications in 2017:
1. Print Media Advertisement of Memorandum Circulars No. 17-01
2. Manila Bulletin’s Privacy Commissioner’s weekly columns
3. DPO Forum (online newsletter)
4. Data Subject Intro Poster (Gaano kahalaga ang data mo?)
5. Compliance Poster (5 Pillars of Data Privacy Accountability & Compliance)
6. Wag magpabiktima video
7. Ano nga ba ang data privacy video
8. Handle personal info with care video
9. Social Media Materials
10. Data Privacy Roadshows
PUBLIC ASSISTANCE

As part of the NPC’s commitment to enhance the delivery of frontline services to the public, a process review of frontline services was done to reduce processing time. The turnaround time of 3-45 working days in 2016 was cut to 1-3 working days for general inquiries and 3-15 working days for inquiries relating to compliance and policy in 2017. Aside from the continuous assessment of frontline service delivery and the on-going revision of the Citizen’s Charter, the Public Assistance unit also started preparing the development of a public assistance manual, an internal guideline for NPC frontline staff.
In the same year, the establishment of AskPriva, an online assistance and inquiry system, contributed to providing citizen-centric services. It served as an additional channel through which the public can lodge their inquiries, suggestions or any other feedback. With this addition, coupled with the wider advocacy initiative, the average number of inquiries received per month rose from 5 in 2016 to 218 in 2017. The rate of inquiries acted upon by the NPC improved from 48.86% in 2016 to 73% in 2017.
FAST NUMBERS
2,626 total inquiries received via e-mail, Facebook, and AskPriva in 2017
218 average inquiries received per month
100% of walk-in inquiries acted upon by the NPC
100% of phone-in inquiries acted upon by the NPC
73% of inquiries received via e-mail, Facebook, and AskPriva acted upon by the NPC
COMPLIANCE & MONITORING The National Privacy Commission (NPC) is the country’s independent body mandated to administer and implement the Data Privacy Act of 2012 (R.A. 10173), and to monitor and ensure the compliance of the country with international standards set for data protection. As an integral division of the Commission, the Compliance and Monitoring Division shall have the following core functions:
1. Ensure compliance of personal information controllers with the provisions of the DPA
2. Monitor the compliance of other government agencies or instrumentalities on their security and technical measures and recommend the necessary action in order to meet minimum standards for protection of personal information pursuant to the DPA
3. Provide assistance on matters relating to data protection at the request of a national or local agency, a private entity or any person
4. Assist Philippine companies doing business abroad to respond to data protection laws and regulations
5. Manage the registration of the personal information processing system of contractors and its employees entering into contracts with the government that involves accessing or requiring sensitive personal information
6. Adopt a system for registration of data processing systems in the country
7. Assist in the compilation of agency system of records and notices, including index and other finding aids, for publication; and
8. Manage requests for off-site access in government data processing systems.
Corollary to this mandate, the following are the highlights of the CMD’s accomplishments for 2017:
7 compliance check visits
47 partial check compliance letters (sent)
8 partial check compliance (received)
100 speakerships (awareness summits & DPO briefings)
4,656 Phase I DPO registrations
The CMD conducted seven (7) compliance check visits to the following PICs: 1.) Bank of the Philippine Islands 2.) West Visayas State University Medical Center 3.) Google Philippines, Inc. 4.) Department of Education 5.) Healthway Medical, Inc. 6.) SuySing Corporation 7.) Philippine International Life Insurance.
A total of 47 Partial Check Compliance Letters were sent to the identified PICs by the Commission. These letters were sent primarily to require the PICs to submit the documents or policies embedded in the 32-point compliance check, in order to assess their level of compliance with the DPA.
Out of the 47 PICs that received the Partial Check Compliance Letter, eight (8) complied, namely: 1.) Holcim Philippines, Inc. 2.) JR & R Distributors 3.) Magnolia, Inc. 4.) Maynilad Water Services, Inc. 5.) Mitsubishi Motors Philippines Corporation 6.) Siemens Corporation 7.) Supervalue, Inc. 8.) Victorias Milling Co., Inc.
As part of the public education program of the Commission, CMD personnel were also invited to serve as guest speakers at awareness summits and DPO briefings, apart from performing their compliance and monitoring functions.
A total of 4,656 PICs submitted their respective DPO Registration forms. This is a manifestation that PICs are taking the initial step towards compliance with the DPA.
3 focus group discussions (DPO, DPS, CCV)
11 DPO summits participated in
1 online DPS/DPO registration
Members from the different sectors were invited to the Focus Group Discussions to give their respective views and opinions on the draft Data Protection Officer Designation, Data Processing System Circular and Compliance Check Visit Guidelines.
Through coordination with other divisions, CMD personnel participated in the following DPO Summits per sector: 1.) Government Agencies 2.) Bank 3.) Telecommunications 4.) Education 5.) BPO 6.) Internet Society and Social Media 7.) Private Hospital 8.) Retail Industry 9.) Insurance (Non-Life) 10.) Pharmaceutical 11.) Local Government.
A Data Processing System was developed that primarily handles the records of Data Protection Officers for registration purposes.
Others:
● Setting up a Local Area Network (for encoders)
● 300-plus inquiries (phone calls, emails and walk-ins)
● 300-plus follow-ups for DPO Registration (NGAs)
● Development of the CMD Encoding System (software)
● Participation in the development of the process flow for the Phase I and Phase II Registration System
● Membership in the BAC TWG and ICT Task Force
● Two key positions in the employee associations (Atty. Vida Zora Bocar and Mr. Cleo Martinez as President and Vice-President, respectively, of the NPC Employees Organization)
ENFORCEMENT The Legal and Enforcement Office (LEO), comprised of three (3) divisions, namely the Complaints and Investigations Division, the Legal Division and the Enforcement Division, is at the core of the National Privacy Commission (NPC). This Office handles complaints pertaining to alleged violations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA), including the management of breach notifications. Of importance is its function related to the enforcement of privacy rights, which is handled by the Enforcement Division. In 2017, the Enforcement Division continued to perform its mandate. It assisted the Office of the Privacy Commissioner (OPC) in the formulation of policies and procedures to ensure the enforcement of Resolutions and coordination with other government agencies. It coordinated with other law enforcement agencies such as the Joint Cyber Security Working Group, the Department of Information and Communications Technology-Cybercrime Investigation and Coordinating Center (DICT-CICC), the Bangko Sentral ng Pilipinas, the Anti-Money Laundering Council (AMLC), the United States Federal Bureau of Investigation, the Philippine National Police-Anti-Cybercrime Group and the National Bureau of Investigation. It also worked with the DICT-CICC on the takedown of the adult section of the Manila Backpage.
To reinforce the rights of data subjects, the Enforcement Division also served as resource persons and legislative liaisons during Congressional/Senate hearings on the following proposed bills:
1. BPI Data Breach;
2. SIM Card Registration;
3. No Call/No Text Registry;
4. Amendment of Republic Act No. 10175;
5. UMID+;
6. Fake News;
7. National Identification (ID) System;
8. Privacy of Communications Act of 2018; and
9. Mobile Number Portability Act.
It also attended World Bank roundtable discussions on the National ID System, the Technical Working Group on Toll Collection Interoperability, Freedom of Information Exceptions, and the NPC-BSP TWG. Likewise, the Division prepared draft Memoranda of Agreement with different institutions, including the International Rice Research Institute. These proposed agreements cater to the implementation of rules for data protection and the strengthening of cooperation among various stakeholders. To assist the OPC in the internal matters of the Commission, the Division prepared the proposed NPC Internal Rules and the draft guidelines on Complete Staff Work. With respect to administrative matters, the Division assisted in the procurement of supplies and services necessary for the general support of the Commission, and assisted the Bids and Awards Committee-Technical Working Group on Post-Qualification Evaluations. As part of its effort to strengthen the enforcement mandate of the Commission, the Division envisions 2018 as a year in which strong measures to protect data rights will be implemented.
LEGAL DIVISION
As a national government agency catering to various stakeholders, the National Privacy Commission (NPC), its officers and employees are all heavily tasked to deliver service at the level of quality expected and deserved by the public. In the course of accomplishing their duties, however, it is common to encounter obstacles that may challenge them and even the institution itself. One of the challenges that may be easily anticipated is the filing of lawsuits against the officials and employees of the NPC. Hence, the Legal Division (LD), as the general counsel of the NPC, took steps to identify possible areas of risk and to implement programs that will help manage them. Since this is a foreseeable situation, it is the conviction of the LD that the foremost intervention is to equip all concerned employees with basic legal knowledge of the ordinary processes and issues that are the usual subjects of charges against government entities and their officials and employees. Thus, a law lecture series entitled “How to Get Away with Lawsuits: A Law Lecture Series” was created and became the flagship program of the Legal Division for 2017. Through this project, six (6) legal skills trainings for NPC employees were conducted, covering significant topics such as: (1) Procedural and Practical Guide in Conducting Public Bidding, (2) Procurement Training for End-Users, (3) Procurement Planning and Compliance, Procedural and Practical Guide in Conducting Alternative Methods of Procurement and Other Special Topics, (4) Principles of Auditing and Accounting, and Preparation of Financial Reports, (5) Code of Conduct and Ethical Standards for Public Officials and Employees, and (6) Anti-Graft and Corrupt Practices Act and Related Laws. Apart from this program, LD staff members also had the privilege to represent the Commission in various events such as Senate hearings, the NPC LGU Roadshow, Data Protection Officers (DPO) Briefings, and Data Privacy Orientation Seminars. Also, the Legal Division continuously provided legal assistance to the Commission through the provision of legal references, the conduct of legal research, the review and drafting of contracts, and the issuance of legal opinions that paved the way for the commencement and subsequent completion of several projects and activities of the NPC.
COMPLAINTS & INVESTIGATION
As of December 2017, the nature of cases received is as follows:

CLASSIFICATION                              No. of Complaints    %
Unauthorized Processing                     80                   36.20%
Improper Disposal                           3                    1.36%
Unauthorized Access/Intentional Breach      14                   6.33%
Unauthorized Disclosure                     2                    0.90%
Rights of a Data Subject                    9                    4.07%
Security of Personal Information            74                   33.48%
General Inquiry                             17                   7.69%
Cybercrime                                  14                   6.33%
Theft                                       3                    1.36%
Consumer Protection                         3                    1.36%
Credit Card                                 1                    0.45%
Drone                                       1                    0.45%
Total                                       221                  100.00%
The bulk of the complaints for 2017 pertained to the alleged unauthorized processing of personal information and the security of personal information. These were followed by general inquiries concerning the rights of data subjects.
The Complaints and Investigation Division (CID) continued to carry out its function as the champion in hearing complaints and in instituting investigations concerning alleged violations of the DPA, including handling reports on security breaches. Part of its function is the preparation of fact-finding reports based on the complaint and the evidence gathered during its investigation, with the end in view of recommending appropriate actions to the Commission En Banc.
Out of the 221 complaints received, 153 complaints were dismissed either for failure of the respective parties to prosecute or for being beyond the NPC’s jurisdiction. For those cases dismissed for lack of jurisdiction, referrals to the appropriate regulatory agencies were made. Some of the parties, however, agreed to compromise. A few cases were elevated to the Commission En Banc for appropriate action/resolution. Lastly, the CID employed measures to increase awareness of data privacy and protection through the conduct of seminars, trainings and workshops for various controllers and processors, as part of reinforcing the NPC’s mission to sustain a culture of privacy among Filipinos.
INTERNAL MANAGEMENT
FINANCE AND ADMINISTRATIVE OFFICE The Financial, Planning and Management Division (FPMD) provides planning support and financial direction to help steer the Commission towards its fiscal targets for the year. To establish efficient and optimum use of resources, the FPMD has consistently played its critical role in the formulation and monitoring of annual and long-range Programs/Activities/Projects (PAPs), ensuring that commitments and performance are aligned with the Commission’s goals. The division also spearheaded the NPC Strategic Planning Workshop, the Midyear Performance Assessment and the 2018 Planning Workshop, held in June 2017 and November 2017, respectively. The division also worked closely with the Human Resource Development Division in conducting a series of workshops on the crafting and review of individual, division and office performance commitments, to pave the way for the agency’s establishment and implementation of its Strategic Performance Management System (SPMS).
The FPMD has also prepared the Commission’s proposed FY 2018 Budget, in time for the budget hearings with the Department of Budget and Management, the Senate Committee on Finance, and the House of Representatives Committee on Appropriations. The actual obligations per NPC Programs/Activities/Projects (PAPs) for FY 2017 and the budget utilization rate are summarized below:

SUMMARY OF ACTUAL OBLIGATIONS PER PAP

PAP                                                                                                                Actual Obligation
Number of Circulars and other issuances on rules and regulations (ex. IRR, Data Security Standards/Privacy Guidelines, Procedures)   67,006.00
Number of publications (ex. Compilation of agency system or records and notices, laws, case reports)                                 352,598.40
Number of Public Information/Education Projects implemented                                                                          5,596,719.16
Number of private sector and government agencies representatives meeting/coordination                                                1,191,996.25
Number of Registration system established (ex. Government contracts)                                                                 35,364.00
Percentage of complaints and investigations resolved                                                                                 2,072,248.97
Number of International agreements/membership entered for cooperation or coordination (ex. Cross-border enforcement agreement)       2,930,792.41
Total                                                                                                                                14,318,974.16

Particulars           Allotment    Expenditures    Utilization rate
Personnel Services    57,069       51,075          89%
MOOE                  99,293       78,407          79%
Capital Outlay        51,446       47,341          92%
Total                 207,808      176,823         85%
ADMINISTRATIVE SERVICES DIVISION The Administrative Services Division (ASD) acts as one of the housekeeping units of the Commission, aimed at instituting cost-effective methods in the areas of records management, general services, cashiering, procurement and property/supplies management.
The division has also lent its technical expertise via its membership in various NPC-created committees such as the Bids and Awards Committee, the Internal Affairs Committee, the Task Force on Office Rental, the Performance Management Team, and the Fees Committee.
With a view to establishing effective and efficient systems, processes and procedures, the ASD initiated the use of the DOST-Electronics Records Management System, which allowed for the easy tracking of documents, thus facilitating timely decision-making. Through the division, the NPC has also automated the procurement of airline tickets, both for domestic and foreign travel. The ASD issued several guidelines to promote efficient systems for procurement, the maintenance, repair and use of motor vehicles, and the management of NPC-owned properties and equipment, thus putting in place internal management systems and controls. Among these are the (a) Policy on Request for Issuance of Supplies, Properties and Equipment; and the (b) Policy on the Maintenance, Repair, and Availment/Dispatch of Motor Vehicles and Allocation of Fuel. The division also helped ensure the timely payment of NPC obligations amounting to a total of P78,684,868.99 to various creditors. Instrumental to achieving this was the ASD’s management of funds collected and deposited to the bank within 24 hours from receipt. Likewise, the ASD takes the lead in the planning, management and procurement of the NPC’s property, plant, and equipment, registering a total of 387 units of IT and Office Equipment, 245 pieces of Furniture and Fixtures, and 11 Motor Vehicles.
Overall, the division has greatly contributed to ensuring a higher obligation rate at fiscal year-end by expediting the processing of purchase requests for the procurement of goods and services, increasing the absorptive capacity of the NPC to utilize its funds under the General Appropriations Act.
HUMAN RESOURCE MANAGEMENT
Human resource management is one of the most crucial parts of any organization. For that reason, the NPC presents its 2017 personnel and its personnel development initiatives.

NUMBER OF PERSONNEL
Division    Plantilla Authorized    Filled    Unfilled    COS    Consultant    Total (has assumed position)
OPC         18                      11        7           6      0             17
OED         5                       0         5           0      0             0
PIAD        7                       4         3           13     0             17
DASCO       3                       0         3           0      0             0
CMD         14                      9         5           7      0             16
DSTD        6                       5         1           2      0             7
LEO         3                       0         3           0      0             0
LD          6                       3         3           0      0             3
ED          6                       4         2           0      0             4
CID         7                       6         1           3      0             9
FAO         3                       0         3           2      0             2
FPMD        8                       7         1           3      0             10
ASD         6                       4         2           11     0             15
HRDD        5                       3         2           1      0             4
PPO         3                       0         3           0      0             0
PDD         12                      5         7           1      0             6
PRD         11                      1         10          0      0             1
TOTAL       123                     62        61          49     0             111

BY EDUCATIONAL ATTAINMENT
Particulars                                          Plantilla
HS Graduate                                          1
College Undergraduate (Unit with 72 units earned)    1
College Graduate                                     38
Masteral Degree                                      20
Doctorate Degree                                     2
Total                                                62

BY SEX
Particulars      Breakdown    Total
Plantilla        34 / 28      62
Non-Plantilla    24 / 25      49
Total            58 / 53      111

PERSONNEL TRAINING
Summary of Trainings
In-house        5
Sponsored       7
NPC-Funded      17
Total           29
79% of plantilla personnel completed the above-mentioned trainings.
CORPORATE DIRECTORY
ELISA MAY A. CUEVAS, Head Executive Assistant, may.cuevas@privacy.gov.ph
ATTY. GILBERT V. SANTOS, OIC, Legal and Enforcement Office, gilbert.santos@privacy.gov.ph
ATTY. IVY GRACE T. VILLASOTO, OIC, Privacy Policy Office, grace.villasoto@privacy.gov.ph
BELMA G. MARTINEZ, OIC, Finance and Administrative Office, bel.martinez@privacy.gov.ph
ATTY. JANICE G. NADAL, OIC, Legal Division, janice.nadal@privacy.gov.ph
ATTY. FRANCISCO R. ACERO, Chief, Complaints and Investigation Division, francis.acero@privacy.gov.ph
ATTY. RASIELLE DL. RELLOSA, OIC, Policy Development Division, rashy.rellosa@privacy.gov.ph
DR. ROLANDO R. LANSIGAN, Chief, Compliance and Monitoring Division, rolando.lansigan@privacy.gov.ph
JONATHAN S. RAGSAG, OIC, Data Security and Technology Standards Division, jonathan.ragsag@privacy.gov.ph
MARIA DELIA S. PRESQUITO, Chief, Administrative Services Division, madel.presquito@privacy.gov.ph
MALOU C. LEELIAN, OIC, Financial Planning and Management Division, malou.leelian@privacy.gov.ph
KIMBERLY ANN M. MEDINA, OIC, Human Resource Development Division, kim.medina@privacy.gov.ph
OLIVIA KHANE S. RAZA, OIC, Public Information and Assistance Division, khane.raza@privacy.gov.ph

PRIVACY POLICY OFFICE
COMPLIANCE AND MONITORING DIVISION
DATA SECURITY AND TECHNOLOGY STANDARDS DIVISION
ENFORCEMENT DIVISION
PUBLIC INFORMATION AND ASSISTANCE DIVISION
LEGAL DIVISION
FINANCE, PLANNING AND MANAGEMENT DIVISION
COMPLAINTS AND INVESTIGATION DIVISION
ADMINISTRATIVE SERVICES DIVISION
HUMAN RESOURCE DEVELOPMENT DIVISION